kernel-netlink: When adding a policy do an update if it already exists

This may be the case when SAs are reestablished after a crash of the
IKE daemon.

We could actually always do updates.  The kernel doesn't care, the only
difference is the possible EEXIST if XFRM_MSG_NEWPOLICY is used.  The
advantage of not doing this, though, is that we get a warning in the log
if a policy already exists, as that should usually not be the case.

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index e0f1dd70299ccfdf1850f6f398e2f9fe52ae077f..2958b59426c9f5bc4928a46a70033166615b63f5 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2059,6 +2059,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
        ipsec_sa_t *ipsec = mapping->sa;
        struct xfrm_userpolicy_info *policy_info;
        struct nlmsghdr *hdr;
+       status_t status;
        int i;
 
        /* clone the policy so we are able to check it out again later */
@@ -2153,7 +2154,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
        }
        this->mutex->unlock(this->mutex);
 
-       if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+       status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+       if (status == ALREADY_DONE && !update)
+       {
+               DBG1(DBG_KNL, "policy already exists, try to update it");
+               hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
+               status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+       }
+       if (status != SUCCESS)
        {
                return FAILED;
        }